GPOs not updating settings and GPUPDATE not completed in expected time

I'm having a few different issues with my GPOs and I'm not sure if they are related or not. I have a domain with two Windows 2003 R2 Ent. DCs and approximately 75 PCs. I've never noticed issues with my GPOs until recently when I wanted to push out some changes to the Windows Firewall. The majority of my PCs are Windows XP SP3. When I run gpresult it shows that the correct policy is being applied and when I run rsop.msc I find the correct settings for the firewall. However, when I open up Windows Firewall, the changes haven't been made.

While I was testing this, I tried running gpupdate and found that on the XP PCs it times out with:
User Policy Refresh has not completed in the expected time. Exiting...
User Policy Refresh has completed.
Computer Policy Refresh has not completed in the expected time. Exiting...
Computer Policy Refresh has completed.

I placed a test PC and user in an OU that only has one applied GPO (default domain policy which includes both user and computer settings). When I run gpupdate /target:user it completes successfully but /target:computer times out.

I'm not sure if these two are related. I'm more concerned about not being able to change the Firewall settings with a GPO.

A mixed Windows XP environment is one in which there are both Windows XP with SP1 or Windows XP with no service packs installed and Windows XP with SP2-based computers present. For computers running Windows XP with SP1 or Windows XP with no service packs installed, the only way to control Windows Firewall behavior through Group Policy is to use the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting in Computer Configuration/Administrative Templates/Network/Network Connections. This Group Policy setting is still present when Group Policy objects are updated for the new Windows Firewall settings. Computers running Windows XP with SP1 or Windows XP with no service packs installed only implement the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting.

Computers running Windows XP with SP2 implement both the Prohibit use of Internet Connection Firewall on your DNS domain network setting and the new Windows Firewall settings in the following way:

If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and there are no changes to the default values of the new Windows Firewall settings, then Windows Firewall is disabled when connected to the network from which the Group Policy object was obtained.

If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and the Windows Firewall: Protect all network connections setting is enabled, then Windows Firewall is enabled when connected to the network from which the Group Policy object was obtained with new Windows Firewall settings.

MKLINE71:
I just removed the User Profile Hive Cleanup Service (which I had installed earlier due to a recommendation I read somewhere) and installed the policy reporter and now the GPUPDATE finishes on the test PC. That seems a little odd to me. I'm going to start linking the other policies to my test OU and see if any cause it to time out.

BTRIVETT:
I'm looking through my GPOs and I have one GPO with Prohibit use of Internet Connection Firewall on your DNS domain network ENABLED. I have another GPO with Windows Firewall: Protect all network connections ENABLED. Both GPOs are linked to the same OU in which all of my PCs reside.

I'm not using roaming profiles... I just read about UPH clean and installed it. Didn't really understand what all it was for. I just reinstalled it and gpupdate still works. Come to think of it, it was not working at first just like the rest of our PCs then I removed the PC and user and put them in a test OU with only the default GPO linked and then gpupdate worked at first and then stopped working for no apparent reason. Now it's working again. Crazy. I'm going to start linking GPOs and see if it breaks on one of them.

Something screwy is going on here. I started adding back GPOs to the Test OU and kept doing gpupdate with no issues. I rebooted and still no issues with gpupdate. Eventually I added back all of the GPOs (I checked gpresult and they were all there) and still no issues, so I moved the PC back to the OU with all the other desktops, rebooted, and tried to do gpupdate but to no avail. So I moved it back to the test OU, still didn't work. So I unlinked all of the GPOs and still gpupdate times out. I'm waiting for it to refresh right now and then I'll post logs from userenv. Is there a particular section I should post?

OriNetworks:
I tried out your suggestion. It appears that if the PC is in an OU that is not associated with any GPOs other than the default domain policy then I can run gpupdate /target:computer /force as a local admin. When I move the PC to an OU that has other associated GPOs then running gpupdate /target:computer /force as a local admin fails (gpupdate /target:user /force fails too). It gets a little hairy when I'm moving the PC back and forth between OUs as it seems that the gpupdate results aren't always consistent, but I think what I said above is true for the most part.

I also looked at the event logs on the local PC for indications of a corrupt group policy but didn't find anything.

I tried looking through the userenv logs (I have verbose logging enabled) but I don't really see much going on when I run gpupdate.

Well I figured it out and both issues (gpupdate time out and Firewall setting not propagating through GPO) were related. Here is how I figured it out:

I went back to adding GPOs to my OU one at a time and made an odd discovery (maybe it's common knowledge to others). I am now certain I know which one of my GPOs is causing the gpupdate issue. I thought I knew which one was causing the problem earlier but I wasn't getting consistent results. Until I found this pattern:
1. Remove problem GPO and reboot
- gpupdate /target:user - completes
- gpupdate /target:computer - times out
- Firewall settings not updated
2. Reboot a 2nd time
- gpupdate /target:user - completes
- gpupdate /target:computer - completes
- Firewall settings updated
3. Add back problem GPO and reboot
- gpupdate /target:user - times out
- gpupdate /target:computer - completes
4. Reboot a 2nd time
- gpupdate /target:user - times out
- gpupdate /target:computer - times out

I just repeated the above scenario 3 times in a row and then tried it on multiple PCs with consistent results. It appears that the user policy is refreshed after one reboot but it takes two reboots to refresh the computer policy (or at least to cause/fix the gpupdate issue and propagation of firewall settings). If this wasn't the case I would have found the trouble GPO two days ago. Like I said, maybe this is common knowledge, but I've been searching through lots of forums and websites the past week on this issue and I never ran across it. Maybe someone else will find it helpful.

Now I just need to figure out which setting in my GPO is causing the problem, but that shouldn't be a big deal.

I think it would be good to keep this question so others know to follow this procedure if they run into a problem like this. Maybe the author's last post could be marked as the answer and hopefully let us know exactly what setting in the GPO was wrong.

Check to make sure you haven't enabled the group policy setting
Disable background refresh of Group Policy
Computer Configuration\Administrative Templates\System\Group Policy\

"Prevents Group Policy from being updated while the computer is in use. This policy applies to Group Policies for computers, users, and domain controllers."
This setting gives the same result you are seeing when you run GPUPDATE

Good call DataBitz. This was the setting in my GPO that was causing problems. After my discovery yesterday, and before disabling this setting, I started rebooting the PCs with my problem GPO twice and noticed that my firewall settings updated after the second reboot, but gpupdate still did not work. Then I saw your post and disabled that setting. Now after one reboot gpupdate works and the firewall settings that I changed in the GPO get updated. If this setting is enabled, GPUPDATE will not work and it appears that GPO computer policies will not take effect until the computer is rebooted twice.
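
Added example, not part of the original thread: a PowerShell audit that reports, per computer, whether "Disable background refresh of Group Policy" is in effect, so machines where firewall or other security policy changes will not apply until reboot can be found without testing gpupdate on each one. It assumes the policy is stored as the DWORD DisableBkGndGroupPolicy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System (the thread does not name the registry value), that the Remote Registry service is reachable on the targets, and the function name and computer names are hypothetical.

```powershell
# Assumption (not from the thread): the policy is stored as this DWORD value.
$PolicyKey   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue = 'DisableBkGndGroupPolicy'

# Hypothetical helper: returns one object per computer with the policy state.
function Get-BackgroundRefreshPolicy {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $state = 'Unknown'; $raw = $null; $detail = ''
        $base = $null; $key = $null
        try {
            # Read HKLM on the target through the Remote Registry service.
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $base.OpenSubKey($PolicyKey)
            if ($key) { $raw = $key.GetValue($PolicyValue, $null) }

            if ($null -eq $raw) {
                $state = 'NotConfigured'
            } elseif ([int]$raw -eq 1) {
                $state  = 'Enabled'
                $detail = 'Background refresh is off; policy changes wait for reboot/logon'
            } else {
                $state = 'Disabled'
            }
        } catch {
            # Unreachable host, access denied, Remote Registry stopped, etc.
            $detail = $_.Exception.Message
        } finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }

        New-Object PSObject -Property @{
            Computer = $computer
            State    = $state
            RawValue = $raw
            Detail   = $detail
        } | Select-Object Computer, State, RawValue, Detail
    }
}

# Constructed computer names, for illustration only:
# Get-BackgroundRefreshPolicy -ComputerName 'PC-TEST01','PC-TEST02' |
#     Where-Object { $_.State -eq 'Enabled' }
```

A result of Unknown means the check itself failed, so treat those hosts as unverified rather than clean.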
